Leaked Code Still Could Bear Malicious Fruit

When news of the leak of a portion of Windows source code broke last month, many in the security community cautioned against overreacting, saying that the leak likely wouldn't lead to a slew of new vulnerability discoveries.

When news of the leak of a portion of Windows source code broke last month, many in the security community cautioned against overreacting, saying that the leak likely wouldnt lead to a slew of new vulnerability discoveries. But that attitude has changed in recent weeks because researchers said that crackers have uncovered several previously unknown vulnerabilities in the code and appear determined to keep the flaws quiet for their private use.
Many in the legitimate security world have shied away from downloading and examining the code, out of fear of legal problems with Microsoft and out of a desire to keep their research unspoiled by what could be corrupt or damaged code. However, malicious crackers have had no such reservations. Immediately following the codes posting on the Internet, members of the security underground began poring over the code, searching for undocumented features and flaws that might give them a new way to break into Windows machines.
There were some early claims of success, including one man who said he found a new vulnerability in Microsoft Corp.s Internet Explorer. However, at the time, security experts said that because the leaked code was so old and was only a fragment of the entire Windows source, there would likely be few actual weaknesses found. But experts who monitor the underground security community said the crackers continued to share the code with one another and have apparently had some success probing for flaws.

"I know of vulnerabilities that have been discovered as a result of the code being exposed to the Internet. I suspect that additional new vulnerabilities will be discovered as time goes on, due to the breach of security," said Ken Dunham, malicious-code manager at iDefense Inc., a security intelligence company in Reston, Va.

The real danger isnt the vulnerabilities that this crowd finds and then posts for all the world to see; its the ones that they keep to themselves for personal use that have researchers worried. Experts said there has been a lot of talk about such finds on cracker bulletin boards and Internet Relay Chat channels of late, indicating that some of the bad guys are busily adding new weapons to their armories.
"We are always keeping an open ear in the underground, and people are definitely finding good use of the leaked source," said Thor Larholm, senior security researcher at Pivx Solutions LLC, based in Newport Beach, Calif. "However, they are also keenly aware that Microsoft is actively pursuing anyone that claims to have a copy of the source, so they are keeping a low profile. So far, we have seen a few publicly announced vulnerabilities based off the leaked source, but I estimate that most of the remaining vulnerabilities will be kept out of public view and part of private weapon arsenals."
Another concern for Microsoft and its millions of customers is that even though the leaked code is more than 10 years old, it forms the base of the companys current operating system offerings, Windows XP and Windows Server 2003. This means that any vulnerabilities found in Windows NT or Windows 2000 could exist in the newer versions as well. This kind of thing keeps security people awake at night, tormented by visions of crackers roaming unchecked through their networks.

"Perhaps the greatest danger is that code in the leaked data is the same as that in nonleaked source code. If that is the case, it may give hackers additional motive and payoff for exploiting something that is a newfound vulnerability that may work in multiple [operating systems]," said iDefenses Dunham.
Check out eWEEK.coms Windows Center at http://windows.eweek.com for Microsoft and Windows news, views and analysis. Be sure to add our eWEEK.com Windows news feed to your RSS newsreader or My Yahoo page: